<html><head>

<meta name="Generator" content="Novell Groupwise Client (Version 18.2.1  Build: 135777)">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font: 10pt/normal Segoe UI; font-size-adjust: none; font-stretch: normal;"><div class="GroupWiseMessageBody" id="GroupWiseSection_1590067611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><div>Thanks Jules!  I had to correct a part of my ldap cert setup and now ldapsearch works correctly and zendto works correctly.  Interestingly enough, I can now set authLDAPUseSSL to true or false and it works fine both ways.  I think I was staring at it too long yesterday.  A fresh look this morning and I realized what I had overlooked.</div><div><br></div><div>Thanks again for a great product!</div><div><br></div><div>Ken<br></div>
  
    
  
  <div class="GroupWiseMessageBody" id="GroupWiseSection_1590052971000_Jules@Zend.To"><span class="GroupwiseReplyHeader">&gt;&gt;&gt; Jules &lt;Jules@Zend.To&gt; 5/21/2020 5:22 AM &gt;&gt;&gt;<br></span><div>
    Ken,<div><br></div><div>
    </div><div>
    The UseSSL setting was for running it on a different port.</div>
    It turns out the <a class="moz-txt-link-freetext" href="ldaps://server_ip_address">ldaps://server_ip_address</a> option (should use port
    636 by default) is better. And as it's an ldap<b>s</b> URL, it will
    use SSL/TLS anyway.<div><br></div><div>
    So you can safely leave authLDAPUseSSL set to false. It's
    overridden by the use of an ldaps URL.</div><div>
    </div><div>
    Cheers,</div><div>
    Jules.</div><div>
    </div>
    <div class="moz-cite-prefix">On 20/05/2020 22:36, Ken Etter wrote:<br>
    </div>
    <blockquote cite="mid:WM!ff197050eb6f73e050b76a3efe03c27353cb837a26948fa2bef4204654b62eb9a656d75fd4c20ca46cf370a3f25433dd!@mx.jul.es" type="cite">
      
      <div class="GroupWiseMessageBody" id="GroupWiseSection_1590009938000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
        <div>Jules,<br>
          I'm not running AD, but I do want to get SSL working with my
          LDAP server.  I configured everything and tested with
          ldapsearch from my ZendTo server and ldapsearch works.  The
          command line I am using to test is:</div>
        <div><br>
        </div>
        <div>ldapsearch -H <a href="ldaps://server_ip_address:636" moz-do-not-send="true">ldaps://server_ip_address:636</a> -x
          -D "&lt;my_user_name&gt;" -w &lt;my_password&gt; -b
          "&lt;my_searchbase&gt;" -s sub -a always "(objectClass=User)"
          cn</div>
        <div><br>
        </div>
        <div>That returns the correct info.  I modified the LDAP section
          trying both of these:</div>
        <div><br>
        </div>
        <div>'authLDAPServers'       =&gt;
          array('<a class="moz-txt-link-freetext" href="ldaps://">ldaps://</a>&lt;server_ip_address&gt;:636'),</div>
        <div>
          <div>'authLDAPServers'       =&gt;
            array('<a class="moz-txt-link-freetext" href="ldaps://">ldaps://</a>&lt;server_ip_address&gt;'),</div>
        </div>
        <div><br>
        </div>
        <div>Both work as long as 'authLDAPUseSSL' is set to false.
          But as soon as I set 'authLDAPUseSSL' equal to true and
          restart apache, ZendTo complains that it cannot connect.</div>
        <div><br>
        </div>
        <div>Any suggestions?</div>
        <div>Ken<br>
        </div>
        <div class="GroupWiseMessageBody" id="GroupWiseSection_1589994770000_Jules@Zend.To"><span class="GroupwiseReplyHeader">&gt;&gt;&gt; Jules
            <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To">&lt;Jules@Zend.To&gt;</a> 5/20/2020 1:12 PM &gt;&gt;&gt;<br>
          </span>
          <div> Ken,
            <div><br>
            </div>
            <div> </div>
            <div> You almost certainly want to do the change that will
              be needed for Active Directory in the Autumn (the Fall).</div>
            <div> Basically you leave the UseSSL settings set to false,
              but change the server hostname by putting <a class="moz-txt-link-rfc2396E" href="ldaps://" moz-do-not-send="true">"ldaps://"</a> on the front of
              it.</div>
            <div> </div>
            <div> If it is complaining about the certificate, then I
              guess you are using a locally-signed cert on your LDAPS
              server(s). In which case, take a look at the
              troubleshooting guide linked from the 2nd paragraph of</div>
            <div> <a class="moz-txt-link-freetext" href="https://zend.to/activedirectory.php" moz-do-not-send="true">https://zend.to/activedirectory.php</a></div>
            <div> </div>
            <div> Also, that page talks about what you need in
              preferences.php and your ldap.conf. Both the LDAP and AD
              authenticators use the same library, as querying AD is
              basically the same as LDAP just with the odd minor
              modification to the code.</div>
            <div> </div>
            <div> Cheers,</div>
            <div> Jules.</div>
            <div> </div>
            <div class="moz-cite-prefix">On 20/05/2020 17:23, Ken Etter
              wrote:<br>
            </div>
            <blockquote cite="mid:WM!c6bb4e935bab58d34c046cc87631a6bd628a4d14f25ac3ec616fbd23b990b74f9341c29e8860ba91a1cc6dc4df82b35c!@mx.jul.es" type="cite">
              <div class="GroupWiseMessageBody" id="GroupWiseSection_1589991464000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
                <div>Jules,</div>
                <div>Is there anything special required to get LDAP
                  working with SSL? I tried setting 'authLDAPUseSSL' to
                  true, rebooted and logins fail. I then tried adding
                  the port number (after a colon) to the address in
                  'authLDAPServers' and rebooted and logins still fail.
                  If I use an ldap browser to connect, it works although
                  it does complain about the certificate. Do I need to
                  import the certificate for ZendTo to be able to
                  connect? If so, do you have any directions for this?</div>
                <div><br>
                  Thanks!</div>
                <div>Ken<br>
                </div>
                <div class="GroupWiseMessageBody" id="GroupWiseSection_1589979559000_Jules@Zend.To"><span class="GroupwiseReplyHeader">&gt;&gt;&gt; Jules <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To" moz-do-not-send="true">&lt;Jules@Zend.To&gt;</a>
                    5/20/2020 8:59 AM &gt;&gt;&gt;<br>
                  </span>
                  <div> I always forget about it too!
                    <div><br>
                    </div>
                    <div> And I wrote it :-(</div>
                    <div> </div>
                    <div class="moz-cite-prefix">On 20/05/2020 13:48,
                      Ken Etter wrote:<br>
                    </div>
                    <blockquote cite="mid:WM!ca4469d817e4470a73e4853ab5f6d7340d84c4fe9446705708728955bd673400dfb859b1863fa69f97972e336ef8d230!@mx.jul.es" type="cite">
                      <div class="GroupWiseMessageBody" id="GroupWiseSection_1589978827000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
                        <div>Thanks Jules! I completely forgot about
                          that feature. That explains it.</div>
                        <div><br>
                        </div>
                        <div>Ken<br>
                        </div>
                        <div class="GroupWiseMessageBody" id="GroupWiseSection_1589964896000_Jules@Zend.To"><span class="GroupwiseReplyHeader">&gt;&gt;&gt;
                            Jules <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To" moz-do-not-send="true">&lt;Jules@Zend.To&gt;</a>
                            5/20/2020 4:54 AM &gt;&gt;&gt;<br>
                          </span>
                          <div> Ken,
                            <div><br>
                            </div>
                            <div> </div>
                            <div> ZendTo actively locks out (for 24
                              hours) users who have failed too many
                              login attempts in a day.</div>
                            <div> This protects against hackers using
                              your ZendTo to attempt to find passwords
                              by brute force.</div>
                            <div> </div>
                            <div> There are 2 ways of seeing who is
                              currently locked out, and to manually
                              unlock them immediately:</div>
                            <div> 1. The web interface for an Admin user
                              (it's one of the red buttons).</div>
                            <div> 2. But if you can't get to that, then
                              run /opt/zendto/bin/unlockuser and it will
                              show its command-line usage. You should
                              just be able to run</div>
                            <tt> sudo /opt/zendto/bin/unlockuser -a</tt>
                            <div><br>
                            </div>
                            <div> to unlock every temporarily-locked
                              account.</div>
                            <div> </div>
                            <div> Hope that helps,</div>
                            <div> Jules.</div>
                            <div> </div>
                            <div class="moz-cite-prefix">On 19/05/2020
                              22:28, Ken Etter via ZendTo wrote:<br>
                            </div>
                            <blockquote cite="mid:WM!8f8e5b8d4c23527c2eb3958915c6518cb1fcc1baaac338cccdb8ab8ca53040a5a670830ab713e0e1a0fdf5aa4e178fd9!@mx.jul.es" type="cite">
                              <div class="GroupWiseMessageBody" id="GroupWiseSection_1589921280000_KLE">
                                <div>And now it is working again. Since
                                  a trace on my ldap server showed I
                                  wasn't even getting a query from
                                  ZendTo, I decided to see what my
                                  firewall was seeing. ZendTo is
                                  installed in my DMZ. I log into the
                                  firewall and do a couple of logins to
                                  ZendTo with other accounts and watch
                                  what shows up in the firewall. Then I
                                  try my login again and it works and
                                  shows up in the firewall as expected.
                                  I had changed nothing, I just logged
                                  into the firewall to see the activity.
                                  Frustrating not knowing why, but
                                  things are working again. I assume the
                                  firewall between the DMZ and the rest
                                  of the network was the issue, but I
                                  have no idea how or why since it just
                                  started working.</div>
                                <div><br>
                                </div>
                                <div>My apologies for all the clutter on
                                  the mailing list.</div>
                                <div><br>
                                </div>
                                <div>Ken<br>
                                </div>
                                <div class="GroupWiseMessageBody" id="GroupWiseSection_1589920870000_KLE"><span class="GroupwiseReplyHeader">>>>
                                    Ken Etter 5/19/2020 4:48 PM
                                    >>><br>
                                  </span>
                                  <div>I have other software that also
                                    does LDAP authentication and my
                                    account works fine there. A trace on
                                    my LDAP server shows the login
                                    happening as expected. So it is as
                                    if ZendTo thinks my account is not
                                    an LDAP account and is trying to
                                    authenticate elsewhere and failing.<br>
                                    <br>
                                    Ken<br>
                                  </div>
                                </div>
                                <div class="GroupWiseMessageBody" id="GroupWiseSection_1589920611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><span class="GroupwiseReplyHeader">>>>
                                    Ken Etter 5/19/2020 4:41 PM
                                    >>><br>
                                  </span>
                                  <div>Doing some more digging into this
                                    and not making much progress. I was
                                    working on moving ZendTo ldap
                                    authentication from port 389 to port
                                    636 (SSL). Something wasn't working
                                    right, but now my account is locked
                                    out of ZendTo. Doing a trace from my
                                    LDAP server shows that I don't even
                                    get a request from ZendTo. ZendTo is
                                    working for all accounts except
                                    mine. Is there anything at all
                                    within ZendTo that might give me a
                                    clue as to what is going on?<br>
                                  </div>
                                  <span id="GWSignatureSent" style="padding-right: 0px; padding-left: 0px; margin-bottom: 5px; display: block;"><span style="display: block;"><br>
                                      <span style="font-size: 10pt; display: inline-block; -ms-word-wrap: normal;">
                                        <div style="color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;"><font color="#000000" face="Arial"><strong>Ken
                                              Etter</strong>, System
                                            Administrator</font></div>
                                        <div style="color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;"><font color="#00abe2" face="Arial">Architectural
                                            Group</font></div>
                                        <div style="color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;"><font color="#000000" face="Arial">260.432.9337</font><font color="#000000" face="Arial"><span>
                                            </span>|<span> </span></font><a style="border: currentColor; border-image: none; color: rgb(0, 0, 0); text-decoration: none;" href="http://msktd.com/" moz-do-not-send="true"><font color="#000000" face="Arial">msktd.com</font></a></div>
                                      </span></span></span><span style="margin-bottom: 5px; display: block;"><br>
                                  </span></div>
                              </div>
                              <div><br>
                              </div>
                              <fieldset class="mimeAttachmentHeader"></fieldset>
                              <pre class="moz-quote-pre" wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to" moz-do-not-send="true">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://jul.es/mailman/listinfo/zendto" moz-do-not-send="true">http://jul.es/mailman/listinfo/zendto</a>
</pre>
                            </blockquote>
                            <div><br>
                            </div>
                            <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait

<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                    <div><br>
                    </div>
                    <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

The current UK shipping forecast:
Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in
Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.

<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
                  </div>
                </div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'One of the deep secrets of life is that all that is really worth
 doing is what we do for others.' - Lewis Carroll

<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
          </div>
        </div>
      </div>
    </blockquote>
    <div><br></div>
    <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Adversity is like a strong wind. I don't mean just that it holds
 us back from places we might otherwise go. It also tears away from
 us all but the things that cannot be torn, so that afterward we see
 ourselves as we really are, and not merely as we might like to be.'
 - Arthur Golden

<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
  </div>

</div></div></body></html>